Quantum-safe cryptography and security: An Introduction, Benefits, Enablers and Challenges – white paper summary

Mark Pecen - ETSI 2nd Quantum-Safe Crypto Workshop (October 2014)

© ETSI 2012. All rights reserved


The ETSI Quantum-Safe Whitepaper, 2014

Primary purpose is to help raise awareness of the potential impacts of quantum computing on information security globally

• Threat of quantum computing to the effectiveness of the current cryptographic state of the art
• Possibilities for risk mitigation – quantum-safe cryptographic techniques – economic and technical practicalities
• Economic and technical challenges to the deployment of quantum-safe security and the role and impact of global standards

Document is 49 pages long, library identifier ISBN 979-10-92620-03-0


Recent research in quantum computing

Credible threat to conventional state-of-the-art information security

Current data protection mechanisms rely on computational difficulty using conventional computing


We survey the current state-of-the-art

Quantum computing challenges our notion of computational hardness, because certain types of hard problems for a conventional computer become trivial for a quantum computer:

● Integer factorization
● Discrete logarithms

We examine some of the most widely-deployed cryptosystems in security products today including

● Rivest Shamir Adleman (RSA)
● Elliptic Curve cryptography (ECC)
● Diffie-Hellman key generation

All of these cryptosystems will be broken by large-scale quantum computers


What, exactly, is vulnerable?

CRYPTOSYSTEMS that have been built on the presumed difficulty of discrete log or integer factorization

SECURITY PROTOCOLS relying upon any of these cryptosystems

PRODUCTS which derive their security from these protocols and cryptosystems

● Basically, anything that’s been encrypted and residing on mass storage instantly becomes available to anyone with access to a quantum computing platform!


Consider a definition for “Quantum-Safe”

1. Cryptography based upon problems that neither classical nor quantum computers can efficiently solve:

● Code-based cryptography
● Lattice-based cryptography
● Multivariate quadratic cryptography
● Hash-based digital signatures

2. Cryptosystems that use basic physical laws of quantum mechanics to protect data:

● Quantum key distribution


Discussions – general to fairly specific

Survey of current state-of-the-art

• Elliptic Curve Cryptography (ECC)
• Rivest Shamir Adleman (RSA)

Quantum-safe approaches

• Computational quantum safe approaches, e.g. code-based, lattice-based, hash-based, etc.
• Quantum Key Distribution (QKD), etc.

Examination of security protocols potentially to upgrade

• X.509 certificates
• Internet key exchange version 2 (IKEv2)
• Transport layer security (TLS) version 1.2
• S/MIME
• Secure shell (SSH) version 2


Fields of application

Use cases such as:

● Encryption of endpoint devices
● Network infrastructure encryption
● Cloud storage and computing
● Big data, machine learning, and data mining
● SCADA systems for industrial control

Industries such as:

● Medicine, biotechnology, & health
● Financial services
● Mobile networks


Economics of upgrading

Managing technology switching costs

• Cost and complexity of making a system quantum-safe

Challenges to quantum-safety

• Some network security protocols may be too rigid to accommodate the increased key lengths
• Changes in ciphers may be required to make them quantum-safe – expensive & impractical
• Standardisation requires time – start soon

Risk management

• Economic view of security risks
• An insurance model view
• The role of standards


Practical considerations – how urgent?

It depends on the category of information and how long it needs to be protected

• x: how many years we need our encryption to be secure
• y: how many years it will take us to make our IT infrastructure quantum-safe
• z: how many years before a large-scale quantum computer will be built


Not all data are equal

The value of x must be carefully considered:

• What are the practical consequences of a certain category of information becoming public knowledge after x number of years?
• For example, would it be a problem if your credit card numbers of today are made available to everyone in the world after x = 5 years? Probably not, because it's very likely that you would have a new credit card issued, having a new expiry date and security code.

On the other hand, if your personal identity information is made public after x = 5 years, you may be exposed to identity theft and any resulting consequences.

Caution is also required for other information categories such as top-secret military information, e.g. the orbits of secret military satellites, location of military bases and their resources and capabilities - defining the value of x is a non-trivial matter
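The three quantities x, y and z from the "how urgent?" slide are usually combined as x + y > z (often called Mosca's inequality; the slide text itself does not spell it out): data is exposed when its required secrecy lifetime plus the migration time outlasts the arrival of a large-scale quantum computer. The Python sketch below is an added example, not part of the original slides or the white paper; the category names, the x values, y and the z scenarios are constructed for illustration and are not estimates from the source.

```python
"""Triage data categories with the x / y / z timeline from the slides."""

# Constructed sample inventory: x = years each category must stay confidential.
# (x = 3 for cards reflects the slide's point that disclosure after 5 years
# is probably harmless; the other values are illustrative assumptions.)
CATEGORIES = {
    "credit card numbers": 3,
    "personal identity records": 50,
    "military satellite orbits": 30,
}
Y_MIGRATION = 8               # assumed years to make the infrastructure quantum-safe
Z_SCENARIOS = (10, 15, 20)    # assumed years until a large-scale quantum computer


def exposure_years(x, y, z):
    """Years in which data that must still be secret is readable.

    Vulnerable ciphertext keeps being produced until the migration ends (y)
    and each item must stay secret for x more years, so protection is needed
    until year x + y. A quantum computer arriving at z < x + y leaves a gap.
    """
    return max(0, x + y - z)


def latest_migration_time(x, z):
    """Largest y with no exposure; zero or negative means no schedule is fast enough."""
    return z - x


def triage(categories, y, z_scenarios):
    """Rank categories by worst-case exposure across the z scenarios."""
    rows = []
    for name, x in categories.items():
        per_z = {z: exposure_years(x, y, z) for z in z_scenarios}
        rows.append({
            "category": name,
            "exposure_by_z": per_z,
            "worst_exposure": max(per_z.values()),
            "max_y_for_earliest_z": latest_migration_time(x, min(z_scenarios)),
        })
    return sorted(rows, key=lambda r: r["worst_exposure"], reverse=True)


if __name__ == "__main__":
    for row in triage(CATEGORIES, Y_MIGRATION, Z_SCENARIOS):
        print(f'{row["category"]:28} worst exposure {row["worst_exposure"]:>2} y, '
              f'migration must finish within {row["max_y_for_earliest_z"]} y')
```

A negative "migration must finish within" value means the category is exposed even if migration were instantaneous, because x alone exceeds the earliest z scenario.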


Conclusions and way forward

Quantum computing indeed poses a credible threat to conventional information security systems

The ICT community nevertheless has the ability to analyse and better understand this threat and its consequences for the various categories of information that require protection

Recommendations and opportunities for further work are presented

• Recommendations for enterprises
• Recommendations for security product vendors
• Opportunities for further research


Special thanks to our contributors

Authors:

Matthew Campagna, Ph.D., IQC Affiliate
Lidong Chen, Ph.D, Mathematician, National Institute of Standards and Technology
Dr Özgür Dagdelen, TU Darmstadt
Jintai Ding, Ph.D. Department of Mathematical Sciences, University of Cincinnati
Jennifer K. Fernick, B.Sc, Institute for Quantum Computing, University of Waterloo
Nicolas Gisin, Department of Applied Physics, University of Geneva, Switzerland
Donald Hayford, National Security Division, Battelle
Norbert Lütkenhaus, PhD, Institute for Quantum Computing, University of Waterloo
Michele Mosca, D.Phil., Institute for Quantum Computing, University of Waterloo
Brian Neill, CISSP, CSSLP, Institute for Quantum Computing, University of Waterloo
Mark Pecen, Approach Infinity, Inc.
Ray Perlner, Computer Scientist, National Institute of Standards and Technology
Grégoire Ribordy, PhD, Chief Executive Officer, ID Quantique
John M. Schanck, Institute for Quantum Computing - University of Waterloo
Dr Douglas Stebila, Queensland University of Technology
Nino Walenta, Ph.D., Battelle
William Whyte, D. Phil., Chief Scientist, Security Innovation
Dr Zhenfei Zhang, Security Innovation Inc.

Other contributors:

Sarah Kaiser, B.Sc, Institute for Quantum Computing, University of Waterloo
Albrecht Petzold, Technical University of Darmstadt
Daniel Smith-Tone, Mathematician, National Institute of Standards and Technology; Assistant Professor, University of Louisville